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Abstract —Network intrusion detection is the process of identi¬ 
fying malicious behaviors that target a network and its resources. 
Current systems implementing intrusion detection processes ob¬ 
serve traffic at several data collecting points in the network but 
analysis is often centralized or partly centralized. These systems 
are not scalable and suffer from the single point of failure, i.e. 
attackers only need to target the central node to compromise 
the whole system. This paper proposes an anomaly-based fully 
distributed network intrusion detection system where analysis is 
run at each data collecting point using a naive Bayes classifier. 
Probability values computed by each classifier are shared among 
nodes using an iterative average consensus protocol. The final 
analysis is performed redundantly and in parallel at the level 
of each data collecting point, thus avoiding the single point of 
failure issue. We run simulations focusing on DDoS attacks with 
several network configurations, comparing the accuracy of our 
fully distributed system with a hierarchical one. We also analyze 
communication costs and convergence speed during consensus 
phases. 
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I. Introduction 

Security experts and researchers have proposed and im¬ 
plemented different strategies to defend computer installa¬ 
tions against attacks. Among them intrusion detection systems 
(IDSs) seek specifically to identify attacks that could target 
a computer or a network and its resources. IDSs have two 
main components: a data audit component, sensors or log files, 
that monitor/collect data on the system behavior; a detection 
method component which analyzes the observed/collected data 
to detect malicious activities. In terms of the audit compo¬ 
nent, IDSs are classified as host-based (HIDS) or network- 
based (NIDS) Q. Host-based IDSs detect attacks to a com¬ 
puter system by monitoring mainly operating system events. 
Network-based IDSs detect attacks to nodes connected by a 
network by monitoring network TCP/IP events. In terms of 
detection methods, IDSs are further classified as signature- 
based or anomaly-based detection systems. Signature-based 
systems monitor traffic for known attack patterns (signatures), 
similar to virus scanners that protect personal computers. 
Signature-based IDSs efficiently detect existing threats but 
always lag behind new threads. Anomaly-based systems Q 
detect intrusions by classifying observed traffic as either nor¬ 
mal or anomalous based on a profile that characterizes normal 


behavior. Anomaly-based systems are better at detecting new 
types of attacks but they usually experience a high level of 
false positives (report an attack when there is none). 

Increasingly, networks are themselves interconnected and 
more heterogeneous, which make them the target of sophis¬ 
ticated attacks that could spread over different administrative 
domains. Various new NIDS architectures have been proposed 
to protect these networks. In centralized NIDS, the audit 
component of the system is distributed, collected audits are 
forwarded to one or a small number of nodes where the 
analysis takes place. Hierarchical NIDS are often a network 
of several local NIDSs, each of them protecting a different 
sub-network. The local NIDSs decide about the status of their 
sub-network, decisions that are sent to a centralized node 
which makes a final decision about the status of the whole 
network, often using a simple majority rule. This approach 
is more scalable and it allows to detect attacks that will not 
be detected using a single NIDS Q. Hierarchical NIDSs can 
be degraded substantially by taking down the root node of 
the system. A truly distributed NIDS is one where the data 
collection component and the analysis component of the IDS 
are combined in a single component residing at every data 
collection point. Cooperating security managers (CSM) Q is 
one implementation of this type of NIDS. A similar approach 
for cloud computing is proposed in 0 - Such distributed 
systems incur communication overheads since, to complete its 
analysis phase, each node must receive information such as 
audit data from all the other nodes. Mobile agent-based NIDSs 

address this communication issue through code migration. 
In this design, mobile NIDS agents migrate between nodes 
to carry the analysis.The issue with the mobile agent-based 
approach is the time needed to compute the final analysis may 
exceed the real time requirements of a NIDS. 

The design of NIDSs can be represented as a three phases 
process 0: parameterization, training and detection. The main 
purpose of parameterization is features extraction; identifying 
those features that separate normal from attack traffic. The 
outcome of this phase is a features vector /i,/ 2 ,...,/m, 
m is the number of features. The training and detection 
phases depend on the method used to process feature vectors. 
In 0, anomaly-based detection methods are classified as 
either statistical based, knowledge based or machine learning 
based (see Q for a more recent and different taxonomy). 
Our proposed NIDS relies on the Naive Bayes classifier as 
processing method, which can be considered as a machine 


learning approach to anomaly-based detection. 

Naive Bayes classifiers apply the Bayes rule 

P{H\0) =aP{H)P{0\H) (1) 

to infer a probability distribution on a set of e^lanatory 
hypotheses about the behavior of a system. In (m, P{H) 
denotes the probability distribution for the specific set of 
hypotheses H = {ha,hn}, traffic is normal or traffic 
is anomalous ha- An observation is denoted by O, it is a 
vector oi, 02,..., Om of m values, one value for each feature. 
The distribution P{H) is based on prior observations or a 
training phase, it is identified as “prior” knowledge. Similarly, 
conditional probabilities P{0\H) express the “likelihood” the 
combination of values Oi G O, i = l..m can occur conditioned 
by each hypothesis, it is learned during the training phase of 
the Bayesian system. The Bayes rule computes the posterior 
probability distribution P{H\0) which, after consideration of 
the observation O and the priors, gives the probability that 
the observed traffic is normal and anomalous. For example, 
the probability of anomalous traffic P{ha\0) is computed as 
aP{ha) rifci ^’(ofcl^o), where a is a normalization constant. 

The present paper proposes a fully distributed NIDS. The 
proposed system uses n NIDS modules each running a Naive 
Bayes classifier to compute distributively posterior probably 
distributions about the state of the network. The detection com¬ 
ponent of this distributed system has two phases. In the first 
phase, local likelihood probabilities P{Oi\h) = JlfeLi P{ok\h) 
are computed by each module i based on the traffic observation 
o\, O 2 , ■ ■ ■, ol^ of module i. The second phase computes the 
joint distribution of the local likelihoods obtained in the first 
phase. Assuming conditional independence of the n local 
observations, the joint distribution P{0\h), O = Ui{Oi}, is 
the product of the local likelihoods: P{0\h) = nr=i 
In this second phase, NIDS modules execute cooperatively an 
average consensus algorithm 0^0 which computes the joint 
distribution P{0\h) asymptotically and in parallel without the 
help of any centralized storage or computation. 

Our work is based on recent proposals about average con¬ 
sensus algorithms in sensor networks for distributed hypothesis 
testing, distributed detection, multi-target tracking and others 
pO) . To the best of our knowledge it is the first time these ap¬ 
proaches are adapted to distributed intrusion detection systems. 
Therefore, this is the main contribution of this research. The 
paper is organized as follow. Next section introduces average 
consensus. Section III provides a formulation of the average 
consensus problem for a fully distributed intrusion detection 
system. Section IV describes our distributed algorithm and 
analyzes its behavior with different simulated NIDS networks. 
Finally, Section V concludes. 


or control devices compute the same response to a system 
behavior. Though they may be provided with different inputs, 
the computing devices have to agree on a same output. 
Consensus problems have been studied in computer science 
|TT), physics i fT^ , operations research GD and control theory 
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Average consensus is a consensus problem where agents 
must agree on the average sum of the input values: 
(i) ^”^1 a:i(0), for n the number of agents. The distributed 
averaging problem is solved cooperatively by a network 
of agents where each agent i iteratively computes a linear 
weighted sum of Xi{t) and Xj{t), j G Np. 


Xi{t + 1) = Xi(t) + ^ Wij{xj{t) - Xi{t)), f = 0,1,... (2) 


where Xi{0) = Vi and Wij is the weight of the edge connecting 
agents i and j in the network. 

Important issues are whether the iterates converge to the 
consensus value and how fast they converge (how many 
iterations are required for convergence). Convergence and the 
speed of convergence are analyzed through the weight matrix 
W (also called the consensus matrix) which is formed from 
the row vectors in Wij of each agent i. Proofs of convergence 
rely on the network connectivity assumption and on properties 
of the graph Laplacian. A network is connected if there is path 
in the network between each pair of agents. If a network is 
connected then it has a graph Laplacian. The graph Laplacian 
L of a network is a n x n matrix where L[i,j] is given as: 


r -1 if j G Mi 

r [ ■ i _ J l-^il if * = J (|A/i| is the number of neighbors 

~ I to process i) 

y 0 otherwise 

The conditions for convergence are the following fTsl : 

1) W has the same sparsity as the graph Laplacian 

2) W* = W 

3) W1 = 1 

4) The norm ||W — J|| < 1 

in which W‘ denotes the transpose matrix of W, 1 denotes the 

vector of all ones and J = It is relatively easy to find a 

weight matrix that satisfies these condition. For example, W = 
I — aL, with 0 < a < | is such weight matrix where 

max \Mi I is the neighborhood with the largest cardinality and 
I is the identity matrix. A second example is the Metropolis- 
Hasting matrix: 


IT Average consensus 

Consensus is the problem of finding an agreement among 
autonomous entities such as peoples, autonomous software 
agents or computers in a network. Each agent i has a state 
variable xt initialized to some value Vi- Agents must agree 
on a single output value while communicating directly with 
only a subset of the other agents, this subset is denoted by 
Mi, the neighborhood of agent i. Consensus problems arise 
for example when multiple sensors observe a same object 


l+max(di,dj) I- -G J J t J\i 

= { 1 - EfcGM if * = J (3) 

[0 if i 7 ^ j and j ^ Mi 

where di = \Mi\, i.e. the number of processes adjacent to 
process i. 

However, selecting the coefficients of weight matrix W 
such to optimize the speed of convergence is still very much 
a research issue. Interested readers can consult 0, 03- 






III. A CONSENSUS BASED NETWORK INTRUSION 
DETECTION SYSTEM 

We formulate the average consensus problem for a fully 
distributed network-based intrusion detection system. It is 
composed of n NIDS modules connected by an independent 
and secure network. Without lost of generality, we assume that 
the links connecting pairs of NIDS modules are direct physical 
links. It is assumed that this network is connected, though it 
does not fully connected pairwise all the n NIDS modules. 

Each NIDS module i has two state variables xf and a;". 
The initialization of the state variables is performed in the first 
phase of the system as follows: Once a module i has completed 
a traffic observation, it computes its local likelihood 

m 

P{0,\K) = P{o\, 0 ^,...,oUha) = l[{ol\ha) (4) 

fc=l 

(respectively P{Oi\hn)). The state variables are initialized us¬ 
ing the logarithm of the local likelihoods: xf=\0g{P{0,\ha)) 
and X? = log{P{0^\hn)). 

The second phase computes the joint distribution of the 
local likelihoods (0 |(iq) = Jir^i PiOi\ha). The computation 
of this product of probabilities is transformed into the compu¬ 
tation of an average sum using the laws of logarithms: the log 
of a product is equal to the sum of the log of the terms in the 
product. Therefore, log{P{0\h)) = log(nr=i ~ 

^"^1 log(P(Oi|/ia)- Taking the average of the last sum we 
obtain 

1 1 " 

= - \og{PiO\ha)) = - V log(P(0,|/i„)) (5) 

n n ' 

i—l 

(respectively Q")- Formulated as an average sum, the terms 

and Q" can be computed distributively and asymptotically 
using the average consensus iterate in Q. Upon convergence 
of its iterate, i.e. when \x{t + 1) — x{t)\ < e (for e sufficiently 
small), a NIDS module makes use of the intermediate results 
(5“ and Q" to compute locally the joint distribution of the 
local likelihoods: P{0\ha) = exp{nQ°‘) k, YYi^iP{Oi\ha) 
(respectively P(0|/i„) = exp{nQ^)). At this point, a module 
has all the information needed to execute naive Bayesian 
inferences on the state of the overall network, i.e. to compute 
the posterior probability P(/i|0) = aP{h)P{0\h) that the 
network traffic is normal or anomalous. 

IV. Experimental analysis 

This section compares our intrusion detection system based 
on average consensus with one based on a hierarchical ap¬ 
proach. In contrast to average consensus, the network wide 
detection phase of the hierarchical approach is implemented by 
sending the local likelihoods to a central node which computes 
directly the joint distribution. 

All comparisons between the two approaches are based on 
simulations of NIDS networks of different sizes and topolo¬ 
gies. Each simulation takes in input a test set and a graph 
representing an NIDS network topology. Network connections 
for the test set come from the NLS-KDD data set (n). an 
improved version of KDD’99 data set. The KDD’99 data set 
has been generated by the MIT Lincoln Laboratory for the 
evaluation of computer network intrusion detection systems 


under the sponsorships of the Defense Advanced Research 
projects Agency (DARPA) and the Air force Research Lab¬ 
oratory (AFRL) fig, 1^. As for the KDD’99 data set, 
connections in the NLS-KDD data set are described in terms 
of 41 features. 

We have run tests with four categories of NIDS network 
topologies represented by four types of non-oriented input 
graphs: rings, 2-dimensional torus, the Petersen graph (10 
nodes 15 edges) and several random graphs having the same 
number of vertices and edges as in the Petersen graph. Ring, 
torus and the Petersen graph are regular graphs, each vertex 
in a given graph has the same degree: two for rings, three for 
the Petersen graph and four the 2-dimensional torus. While 
the number of vertices and edges is constant among random 
graphs, in a same graph the vertex degree may vary from one 
vertex to another. Each vertex in a graph represents a NIDS 
module. The degree of a vertex stands for the size of the 
neighborhood JV of the associated NIDS module. Each graph 
type represents a different NIDS network topology. Finally, 
the different numbers of vertices in the ring and torus graphs 
represent networks of different sizes, respectively networks 
with 9, 25, 49, 81 and 121 NIDS modules. 

Algorithm 1 

Step 0 Training phase; SimulationLoop = 0; 

Step 1 First phase Read values 0 i, 02 ,... 0 m corre¬ 
sponding to m features; 

P{0\ha) — n^i P{ok\ha)', Compute local like¬ 
lihood 

x“(0) =log(P(0|/i„)); 

Step 2 Second phase (consensus loop) 

x“(l) = x“(0) -f Wjix'^iO) - x“(0)); 

f = 1; 

while (|x(<) — x{t — 1)1 < e) 
x“(f-fl) = 

x^m- 
f f + 1; 

P{0\ha) = exp{nx°‘{t)-. 

Step 3 Compute network-wide posterior prohahilities 

p{ha\0) = ap{ha)P{0\ha)\ 

Step 4 Compute decision If > r raises alert; 

Step 5 Simulation termination test SimulationLoop-H-; 

If SimulationLoop < 1000, goto to Step 1; 

Fig. 1. Average consensus based algorithm for network intrusion detection 

As our solution to intrusion detection is fully distributed, a 
simulation consists to execute independently the code of each 
NIDS module in a given network topology. The code is the 
same for each module, it is summarized in Algorithm 1, which 
has been implemented in Java. 

Algorithm 1 takes in input a training set, a weight matrix 
and some control parameters. The control parameters are the 
convergence parameter (e) and the decision parameter (r). The 
convergence parameter is the stopping criterion of the consen¬ 
sus loop. When \x{t) — x{t — 1)| < e, i.e. when the change 
in the consensus value is smaller than e, the NIDS module 
stops receiving/sending updates from/to its neighboring NIDS 
modules. This parameter is set 0.001 in our tests. The decision 
parameter r set the threshold needed to raise an attack alert 



based on network-wide posterior probabilities. This parameter 
is used for both the hierarchical and the consensus approaches, 
with the same value in both cases. 


We have run tests with the following three input weight 
matrices ||^: 


• The Best-constant edge weight scheme 


^ Ai(L) + A„_i(L) 

where L is the Laplacian matrix of the NIDS network, 
Ai, Xn-i are the first and n — 1 eigenvalues of L. 


The Local-degree weights scheme where the weight 
of an edge is the largest degree of its two adjacent 
vertices 

max{di, djl 

The Max-degree weight where dmax is the largest 
degree of the vertices in the network is a constant 
weight scheme 

M'« = 


All three matrices satisfy the convergence conditions described 
in Section HIl 


Step 0 of Algorithm 1 represents the training phase of an 
NIDS module. This phase uses the training data from NLS- 
KDD. Steps 1 to 5 drive the simulation loop. In Step 1, a 
connection from the NLS-KDD data set is read. Next, the 
state variable a:“(0) is initialized with the logarithm of the 
local likelihood (to shorten Algorithm 1, we only shows the 
computation of the anomalous hypothesis). Step 1 returns the 
likelihood that the corresponding connection is normal and 
the likelihood that it is anomalous. Note that step 1 has been 
implemented using the naive Bayes Classifier from the weka 
library http://www.cs.waikato.ac.nz/~remco/weka_bn, develop 
by the Machine Learning Group project at the University of 
Waikato. Step 2 drives the consensus loop. After computing the 
value of and initializing the loop iterate variable t, each 

iteration of the consensus loop sends the value of each NIDS 
module state variable to its neighbors in the network topology, 
wait to receive the corresponding values from its neighbors and 
then computes a weighted sum of the differences between the 
value of the neighboring state variables and the value of its own 
state variables. This communication/computation sequence is 
repeated until convergence. The variable Wj in step 2 is the 
weight of the edge from a NIDS module to neighbor j in 
the network, this value is provided by the weight matrix. 
Once the consensus loop stops, the inverse of the log and 
average functions are applied to a:“ (t) to get an approximation 
P{0\ha) of the joint distribution of the local likelihoods. Step 
3 takes this approximation and computes an approximation 
of the network-wide posterior probability of each hypothesis. 
In Step 4, a decision is made whether the observed network 
behavior is normal or anomalous. 


Algorithm 1 describes the behavior of each NIDS module. 
We now describe the behavior of simulations, where one 
simulation consists to iterate several times the execution of all 
the NIDS modules in a given network topology. Simulations 
have a few control parameters. For example, NIDS modules 


in a given simulation can be trained with a same training 
set or with different training sets and can be given the same 
or different weight matrices. Considering the objectives of 
this research, we have selected to train the NIDS modules 
with the same data set, and in a given simulation, the NIDS 
modules all take in input the same weight matrix. In a given 
simulation, there is a predehned ratio of normal and anomalous 
connections in the NIDS network. For the tests reported in this 
paper, this ratio is 60%, i.e. 60% of the NIDS modules at a 
given iteration receive anomalous connections. This ratio is 
kept constant during a simulation. The number of iterations 
of the simulation loop is hxed to 1000 (termination criterion 
in Step 5). In one simulation each module executes 1000 
connection readings, therefore a simulated NIDS network with 
9 NIDS modules analyzes 9000 connections, a simulated NIDS 
network with 81 NIDS modules analyzes 81000 connections. 
We simulate synchronous NIDS networks, i.e. a new iteration 
of the simulation loop can only start once the consensus phase 
of all the modules is completed. All the simulations detect only 
Distributed Denial of Service (DDoS) attacks. 

A. Test samples and results 

Tests first analyze the impact of the weight matrices and 
NIDS network topologies on the convergence speed during 
the consensus phases. Both network topologies and weight 
matrices are known to impact the convergence speed of average 
consensus algorithms, and therefore their communication cost. 
Next, we compare the communication cost and the accuracy 
of the consensus versus hierarchical approaches. 

Fig. 2 reports the average number of iterations of the 
consensus loop for the 3 different weight matrices and torus 
networks of respectively 9, 25, 49, 81 and 121 NIDS mod¬ 
ules. Clearly, consensus with the best-constant weight matrix 
converges faster that the two others, which have very similar 
convergence speeds. 


Iterations to convergence 



Number of NIDS modules 


A BestConstant 


Fig. 2. Average number of consensus iterations to convergence 


Using the best-constant weight matrix. Fig. 3 and Fig. 
4 report the average number of iterations of the consensus 
loop for all the network topologies. Fig. 3 compares ring and 
torus topologies, showing that consensus convergence is much 
slower for ring networks. Fig. 4 compares the Petersen network 
(column 1) with 10 other random networks of same size (same 
number of NIDS modules and same number of connections in 
the networks). The Petersen graph is an instance of Ramanujan 
graphs, they are graphs known to have very good convergence 
speed for the average consensus algorithm p0[ . In Fig. 4, the 
Petersen network has a faster convergence compared to the 10 
other random networks. 
















Fig. 3. Convergence speed for ring and torus network topologies 
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Fig. 4. Convergence speed for Petersen and random graphs 

The posterior values computed in Step 3 of Algorithm 
1 depend on joint likelihood distributions that are computed 
approximately in Step 2. The next tests determine whether 
these approximations are detrimental to the capacity of a 
consensus based system to detect anomalous activities by 
comparing the accuracy of the consensus and hierarchical 
approaches. Accuracy measures how often decisions made like 
in Step 4 of Algorithm 1 are the correct one. It is is defined 
as follows: 

TP+ TN 

= tp + tn + fp + fn 

where TP (True positive) is the number of attacks detected 
when it is actually an attack; TN (True negative) is the 
number of normals detected when it is actually normal; FP 
(False positive) is the number of attacks detected when it is 
actually normal; FN (False negative) is the number of normals 
detected when it is actually an attack. 

Fig. 5 reports the results of 63 tests. Tests 0 to 29 concern 
ring (even numbers) and torus (odd numbers) NIDS networks. 
Tests from 0 to 9, 10 to 19 and 20 to 29 report respectively 
the results for local-degree, max-degree and best-constant 
weight matrices. Tests 0-1, 2-3, 4-5, 6-7, 8-9 report results 
for networks having respectively 9, 25, 49, 81 and 121 NIDS 
modules and using the local-degree weight matrix (similarly 
for max-degree and best-constant weight matrices). Tests 30, 
41 and 52 report results for Petersen graphs respectively for the 
local-degree, max-degree and best-constant weight matrices. 
Tests 31 to 40, 42 to 51 and 53 to 62 report results for random 
graphs respectively for the local-degree, max-degree and best- 
constant weight matrices. Fig. 5 shows that the accuracy of 
the hierarchical approach is slightly better than the consensus 
approach, but it is clear that approximating the posterior values 
with consensus is not detrimental to the accuracy of the system. 

The consensus approach to network intrusion detection is 
more scalable because computation is fully distributed. On 


Fig. 6. Comparing the average communication cost of simulation iterations 

the other hand, sharing information to support distributed 
computation incurs communication costs during the consensus 
phases. We now compare the communication cost of the 
fastest consensus approach with the hierarchical approach and 
with a second fully distributed approach to network intrusion 
detection. Communication costs are measured in the number 
of hops used in a message. A message is a communication 
between a pair of NIDS modules, a hop is a direct link between 
two adjacent NIDS modules. For consensus, a message cost a 
single hop as all messages take place between adjacent NIDS 
modules. For hierarchical, the cost of a message is equal to 
the length of the shortest path between a given NIDS module 
and the central module computing the posterior probabilities. 

Fig. 6 reports the average communication cost per iteration 
of the simulations with the best-constant weight matrix and 
the torus network with respectively 9, 25, 49, 81 and 121 
NIDS modules. For consensus, the communication cost of one 
simulation iteration is measured directly from the tests. For 
hierarchical, the communication cost h^e of one simulation 
iteration is h where U is the length of the shortest 

path between module i and the central module and n is the 
number of NIDS modules in the NIDS network. The “dis¬ 
tributed” item in Fig. 6 is the communication cost of typical 
fully distributed approaches where information produced by 
one NIDS module, such as local likelihoods, is sent to all the 
other modules in the NIDS network. Communication cost for 
one simulation iteration is computed as h^o = hce x n — 1 
where hce is communication cost of one simulation iteration 
for the hierarchical approach. As expected. Fig. 6 shows that 
the communication cost of the consensus approach grows 
faster than for hierarchical. This figure also shows that the 
communication cost of fully distributed approaches grow very 
rapidly, and that consensus is quite successful at addressing 
this communication cost issue for distributed systems. 

V. Conclusion 

This paper has described a fully distributed network in¬ 
trusion detection system based on an average consensus al¬ 
gorithm. Our work is more a proof of concepts than an 
actual system. Nonetheless, in our opinion and based on our 
preliminary results, consensus seems a viable alternative to 
implement distributed network intrusion detection systems. 
In future works, we will seek to improve the convergence 
speed of consensus phases by studying a broader range of 
network topologies and weight matrices. We also consider 































Comparing accuracy between hierarchical and consensus 

1.02 


^ 0.98 
c 0.96 
u 0-94 
r 0.92 
a 0.9 

c 0.88 
y 0.86 

0.84 

012345678 9 10111213141516171819 2021222324 25 26 27 28 29 3031323334353637 383940414243444546474849 5051525354555657 5859 606162 

Tests 


■ Hierarchical 

■ Consensus 


Fig. 5. Comparing accuracy between consensus and hierarchical approaches 

to use this approach for intrusion detection in wireless ad 
hoc networks such as MANETS, which have no centralized 
control. Distributed consensus protocols are quite prevalent in 
these networks for addressing diverse coordination problems. 
A group of consensus protocols, called Byzantine consensus, 
address security issues such intrusion in ad hoc networks 
through fault-tolerance mechanisms, they are designed to 
achieve consensus in the presence of nodes with unspecihed, 
potentially malicious behaviors. Intrusion detection systems 
are also very much part of the defense mechanisms for ad 
hoc networks, and as expected, several of them are distributed 
IDSs. However, to the best of our knowledge, none of them 
make use of consensus protocols similar to the one proposed 
in this paper, therefore we intend to explore this avenue as 
future work. 
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